Virtual Private Networks or VPNs are rapidly growing in popularity. In a VPN, a shared network is augmented on a secure basis through encryption and/or tunneling. “Tunneling” refers to a process of encapsulating a data packet, typically an encrypted one, in an Internet Protocol or IP packet or in frame relay frames for transmission across an inherently insecure, or untrusted, network, such as the Internet, an intranet, or a frame relay network. The leading tunneling protocols are currently IP Security (IPsec), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and SOCKS version 5 (SOCKSv5). In a typical VPN application, a telecommuter dials into an Internet Service Provider or ISP. The ISP's router recognizes the request for a high-priority, secure tunnel from a remote secured communications client across the Internet to a corporate security gateway router, permitting remote access to the corporate intranet. The tunnel is set up through all the intermediate routers, effectively weaving its way through other, lower-priority Internet traffic. Additional security is frequently provided by a firewall positioned between the telecommuter's communication device and the Internet.
A firewall is a combination of hardware and software that limits the exposure of a computer or group of computers to attack from outside. There are several types of firewalls, namely packet filters, circuit gateways, application gateways, and trusted gateways. A network-level firewall, or packet filter, examines traffic at the network protocol packet level, i.e., on the basis of header fields such as source and destination addresses, port numbers, and protocol. An application-level gateway examines traffic at the application level, e.g., FTP, E-mail, or Telnet, and readdresses outgoing traffic so that it appears to have originated from the gateway rather than from the internal host. As will be appreciated, a “host” refers to any computational component on a network, whether or not its primary purpose is to provide resources via the network. A gateway that readdresses traffic in this manner is known as a Network Address Translation or NAT firewall.
A NAT firewall or gateway allows an enterprise local area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. There are two types of NAT. First, Network Address Port Translation or NAPT refers to network address translation involving the mapping of port numbers as well as addresses (e.g., the source port number is replaced with a randomly chosen, unused port number of the gateway), which allows multiple internal addresses to be mapped to a single external IP address (known as an “overloaded” NAT). NAT with port translation has two sub-types, namely source address translation (source NAT), which rewrites the source IP address and port of the internal device that initiated the connection, and destination address translation (destination NAT), which rewrites the destination address and port of inbound traffic so that it reaches a chosen internal device. Second, basic NAT or static NAT performs a one-to-one address translation but no port mapping.
Under any of the above types of NAT, when packets pass through the NAT gateway they are modified to shield the IP address of the internal device from the Internet host. The NAT gateway records its packet header changes in a state table. Neither the internal device nor the Internet host party to a session is aware of the packet header changes. When the Internet host replies to an internal device's packets, the response packets are addressed to the NAT gateway's external IP address at the translation port. The NAT gateway searches the state table to determine whether the response packets match an already established connection. In the case of overloaded NAT, the match is based on the TCP or UDP port number (the translation port) carried in the response packet; when multiple public addresses are available, the match is based on both the destination IP address and the port number. Based on the match, the NAT gateway then makes the opposite changes to the response packets and forwards them to the internal device.
NAT can introduce complications in communication between hosts. Hosts behind a NAT gateway do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require TCP connections to be initiated from outside the network, or stateless protocols such as those using UDP, can be disrupted, because no state table entry exists for a packet that is not a response to earlier outbound traffic. Unless the NAT gateway makes a specific effort to support such protocols, incoming packets cannot reach their destination. Use of NAT further complicates security protocols, such as IPsec, because NAT rewrites header fields that such protocols protect against modification.
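The state-table behaviour of an overloaded NAT described above, together with the drop of unsolicited inbound packets, can be seen in the following added example. It is not code from the original text; it is a small simulation that models a NAPT gateway with a single external address. The external IP address, the internal hosts, the port range and the deterministic port allocator are all assumptions made for illustration (a real gateway picks a random unused port), and the check that a reply comes from the same remote peer that the session was opened to is an added, deliberately restrictive filtering policy rather than something the text specifies.

```python
# Added example, not part of the original text: a minimal model of an
# overloaded NAT (NAPT) gateway with one external address and a state table.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NaptGateway:
    """Source NAT with port translation ("overloaded" NAT).

    Outbound packets get their source address/port rewritten to the gateway's
    external address and a translation port; the change is recorded in the
    state table so that replies can be rewritten in the opposite direction.
    """

    def __init__(self, external_ip: str, port_range=(1024, 65536)):
        self.external_ip = external_ip
        # Assumption: sequential allocation stands in for a random unused port.
        self._free_ports = iter(range(*port_range))
        # state table: (proto, translation port) -> (int_ip, int_port, remote_ip, remote_port)
        self.state: dict = {}
        # reverse index so that further packets of one flow reuse its mapping
        self._flow_to_port: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet from an internal host; create state on first sight."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._flow_to_port.get(flow)
        if ext_port is None:
            ext_port = next(self._free_ports)   # StopIteration == port exhaustion
            self._flow_to_port[flow] = ext_port
            self.state[(pkt.proto, ext_port)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # The Internet host only ever sees the gateway's address and port.
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet, or return None (drop)."""
        if pkt.dst_ip != self.external_ip:
            return None
        # Overloaded NAT: the match is keyed on the translation port alone.
        entry = self.state.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited packet: no session, no internal destination
        int_ip, int_port, remote_ip, remote_port = entry
        # Assumption (added policy): only the peer the session was opened to may reply.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo():
    """Two internal hosts share one external address; one unsolicited packet is dropped."""
    gw = NaptGateway("203.0.113.5")  # assumed external address (documentation range)
    a = gw.outbound(Packet("tcp", "192.168.1.10", 40001, "198.51.100.7", 80))
    b = gw.outbound(Packet("tcp", "192.168.1.11", 40001, "198.51.100.7", 80))
    reply_to_b = gw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", b.src_port))
    unsolicited = gw.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 2222))
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both internal hosts use the same client port, which is why the gateway must key the state table on the translation port it chose rather than on the internal port; the unsolicited packet to port 2222 has no entry and is silently dropped, which is exactly the behaviour that breaks inbound-initiated services.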
By way of illustration, NAT gateways use different methods of encapsulating IP telephony data in encrypted packets that pass through a Small Office Home Office or SOHO gateway. The end user of a VPN telecommunications device must know the particular encapsulation method in order to configure the VPN device properly, so that it presents the packets to the gateway in the form the gateway expects. If the user does not know which encapsulation method is in use, the user is required to try exhaustively all possible configuration combinations to find the method being used.